Azure Active Directory best practices for monitoring

Eddie_Hernandez 1 Reputation point

Hello. I've been tasked with figuring out what security related events we're collecting in Azure Active Directory, then finding the difference between that and best practices. The goal being to pull those events to our external monitoring tool using the Graph API.

Is there a 'Best Practices' list of events for Azure AD?

It seems like I can only send certain event categories to a workspace for the API to pull from, is there no way to send specific events to a workspace?

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,870 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,216 questions
{count} votes

1 answer

Sort by: Most helpful
  1. James Hamil 22,431 Reputation points Microsoft Employee

    Hi @Eddie_Hernandez , there aren't any official "Best practices" per say, as it differs depending on what your application is. Most people use sign in logs the most but other than that it's up to you. Can you explain more by what you mean about sending specific events to a workspace?

    Thank you,